Skip to content
Configuration files for unlocking and mounting encrypted SD-cards automatically
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
icon
polkit-1/localauthority/50-local.d
rpm
systemd/system
udev/rules.d
LICENSE
README.md

README.md

crypto-sdcard

Configuration files for unlocking and mounting encrypted SD-cards, using udev, udisks2, polkit and systemd.

Note that for devices (e.g. Jolla 1 phones aka "sbj"), which need Qualcomm's qcrypto kernel module to be loaded in order to support modern cryptographic schemes as e.g. XTS, a separate edition is provided.

Extensively tested with systemd 225 (which includes udev), udisks2 2.7.5 and polkit 0.104 (e.g. SailfishOS 2.2 / 3.0, which provides aforementioned environment).
Built RPMs are available in the release section and for easy installation under SailfishOS at OpenRepos.

The necessary steps to prepare an SD-card (or any other removable storage) are described at Together.Jolla.com.
Note that the "key"-files reside unencrypted on fixed, internal mass storage, as mobile devices usually have only a single user, who unlocks the whole device.
Thus crypto-sdcard solely protects "data at rest" on SD-cards and other removable storage, i.e. specifically when the device is locked or switched off (and the SD-card may be taken out).

Features:

  • These configuration files do not alter, replace or delete any extant files.
  • Support of encrypted partitions and whole devices.
  • Support for (µ)SD-cards and USB-attached storage (if supported by device hardware and Operating System).
  • Support for Cryptsetup LUKS and Cryptsetup "plain".
    • Note that SailfishOS just recently (with v3.0.3) switched to Cryptsetup 2, and so did most (desktop) Linux distributions. For interoperability with extant Linux installations and commonality with SailfishOS before v3.0.3, which provide Cryptsetup 1.x (therefore only support LUKSv1 headers), the "partitioning guide" aims at creating LUKSv1 headers.
    • As Cryptsetup reads the cryptography parameters from the LUKS header and Cryptsetup 2 supports both v1 and v2 headers, crypto-sdcard shall work fine with any LUKS header version and parameters, which are valid for the installed Cryptsetup version.
    • For Cryptsetup "plain" (only to be used, when "plausible deniability" is a must), crypto-sdcard has to provide the cryptography parameters and uses "-h sha1 -s 256 -c aes-xts-plain" by default. While these parameters are optimised for speed, low power consumption, interoperability and sufficiently strong security for the next decade (including the specific use of SHA1 for hashing a pass-file down to 160 bits), other parameters may be set for unlocking Cryptsetup "plain" in /etc/systemd/system/cryptosd-plain@.service
  • Start mounting encrypted (partitions on) SD-card via udisks at the earliest sensible time: Right after udisks2.service has started.
  • Unmount before udisks2 begins stopping, hence achieving a clean unmount.
  • Ensure, that AlienDalvik (specifically alien-service-manager.service) begins starting after mounting succeeded, to allow for android_storage on SD-card. Even more importantly this also ensures, that unmounting occurs only after AlienDalvik is completely stopped.
    Nevertheless, these configuration files are also applicable to devices without AlienDalvik installed.
  • Boot time is not significantly prolonged, as unlocking encrypted partitions per Cryptsetup occurs in parallel to starting udisks2; after both succeeded, all mount operations are also started concurrently.

Version history:

  • v1.2
    Significantly altered versioning scheme, git tags naming and archive file names. For details see the release information.
  • v1.1
    Following the changes in SFOS-next to allow any interactive user (i.e., not just nemo) to mount an SD-card. Hence v1.1 requires at least SailfishOS 3.2.1.
    Note that mounting is still restricted to users, who belong to the Unix-group system, in contrast to e.g. mount-sdcard.
  • v1.0
    Due to another round of significant spec-file changes (completely removed SalifishOS dependencies and all %post scriptlets), increasing the version number again.
  • v0.6
    A few small, but significant enhancements (since v0.5-5) are finally reflected in another version number increase.
    "Key"-file path and names are now:
    • For Cryptsetup LUKS: /etc/crypto-sdcard/crypto_luks_<UUID>.key (since v0.3)
    • For Cryptsetup "plain": /etc/crypto-sdcard/crypto_plain_<device-name>.key (since v0.5-7)
    • A specific <UUID> can be obtained by executing blkid -c /dev/null -s UUID -o value /dev/<device-name> with e.g. mmcblk1p2 as <device-name>.
  • v0.5
    Although the installed configuration files are unaltered since v0.4-3, the spec-file ("RPM packaging") changes have been significant, so it ultimately earns an increased version number.
  • v0.4
    Optimised configuration file names.
    RPM spec file provided.
  • v0.3
    Switched to a UUID-based "key"-file naming scheme for LUKS partitions to allow for swapping encrypted SD-cards easily and moved "key"-files into a directory. Missed to properly implement this change for "plain" partitions, as they have no UUID!
    Hence the "key"-file path and names have changed again (please rename your "key"-files accordingly):
    • For Cryptsetup LUKS: /etc/crypto-sdcard/crypto_luks_<UUID>.key
    • For Cryptsetup "plain": /etc/crypto-sdcard/crypto_plain_.key
  • v0.2
    Fixed automatic mounting of DM-Crypt "plain" partitions.
    "Key"-file path and names are altered (please rename your "key"-files accordingly):
    • For Cryptsetup LUKS: /etc/crypto_luks_<device>.key, e.g. /etc/crypto_luks_mmcblk1p2.key
    • For Cryptsetup "plain": /etc/crypto_plain_<device>.key, e.g. /etc/crypto_plain_mmcblk1p2.key
  • v0.1
    Initial check-in of the last version at TJC.
    "Key"-file path and names are /etc/<device>.key, e.g. /etc/mmcblk1p2.key
You can’t perform that action at this time.